Disclaimer: This article is for study and research only; illegal use is prohibited. If there is any infringement, please contact me and I will delete it. Thank you!
Today I will analyze and restore the JS encryption of a verification code (CAPTCHA). If you write crawlers you should know this verification code; if you have not run into it yet, you will, believe me.
Enough talk. Time is precious, so let's get down to business!
Packet capture
Open the official website and select the sliding verification, which is today's topic. The encryption for the other verification types is much the same, as long as you master the method below.
Click the button to capture the packets and drag the slider at will. The request packet is as follows:
You can see a bunch of request parameters, but the only one that really needs to be encrypted is w.
Click through and you will see an encrypted JS file. Save it locally for analysis.
AST restoration
Debugging shows that the code contains a lot of Unicode escapes and obfuscated array names.
The traditional approach is to type each expression into the browser console to see what it really is, but that is too much work, so let's use an AST to restore it!
First restore the Unicode escapes. Open the online AST explorer (https://blogz.gitee.io/ast/) [1]
and paste in the code to be restored.
As you can see, you only need to delete the extra attribute to restore the original value. The traversal code is as follows:
const parser = require("@babel/parser");
const traverse = require("@babel/traverse").default;
const t = require("@babel/types"); // Helpers for working with nodes: type checks, building new nodes, etc.
const generator = require("@babel/generator").default; // Generates code from the restored AST
const fs = require("fs");

// The obfuscated JS file saved earlier
const jscode = fs.readFileSync("./slide.js", {
  encoding: "utf-8"
});

const visitor = {
  StringLiteral(path) {
    // Drop the raw (escaped) source text so the generator prints the real value
    delete path.node.extra;
  }
};

const ast = parser.parse(jscode);
traverse(ast, visitor);
// minimal: true keeps printable non-ASCII characters unescaped in the output
const { code } = generator(ast, { jsescOption: { minimal: true } });
fs.writeFile("decode_slide.js", code, (err) => {
  if (err) throw err;
});
Note that jscode is the JS code that was saved earlier. At the end, the restored code is written to the file decode_slide.js.
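The effect of the escape-restoring step above can be reproduced on a small input without Babel. The following is an added example, not code from the original article: it swaps the AST pass for a regex token scan so it runs with plain Node, and for that reason it does not handle template literals or regex literals (which is exactly what the AST approach gets right). The function names and the sample input are made up for illustration.

```javascript
// Added example (not from the original article): dependency-free version of the
// escape-restoring step. All names here are hypothetical.

// Matches, in source order: line comment, block comment, "..." or '...' literal.
const TOKEN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\\n]|\\[\s\S])*"|'(?:[^'\\\n]|\\[\s\S])*'/g;
// Matches one escape at a time, so "\\u0041" (an escaped backslash) is not decoded.
const ESCAPE = /\\(?:u\{([0-9a-fA-F]+)\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|[\s\S])/g;

// A decoded character is written literally only if the literal stays valid.
function isSafeLiteralChar(cp, quote) {
  if (cp < 0x20 || cp > 0x10ffff) return false;       // control chars, out of range
  if (cp >= 0x7f && cp <= 0x9f) return false;         // DEL and C1 controls
  if (cp >= 0xd800 && cp <= 0xdfff) return false;     // surrogate halves
  if (cp === 0x2028 || cp === 0x2029) return false;   // line separators
  return cp !== 0x5c && cp !== quote.codePointAt(0);  // backslash, own quote
}

function restoreStringEscapes(source) {
  let changed = 0; // number of string literals that were rewritten
  const code = source.replace(TOKEN, (token) => {
    if (token[0] === "/") return token;               // comments are copied as-is
    const quote = token[0];
    const body = token.slice(1, -1).replace(ESCAPE, (m, braced, u4, x2) => {
      const hex = braced || u4 || x2;
      if (hex === undefined) return m;                // \n, \\, \" and so on
      const cp = parseInt(hex, 16);
      return isSafeLiteralChar(cp, quote) ? String.fromCodePoint(cp) : m;
    });
    const restored = quote + body + quote;
    if (restored !== token) changed += 1;
    return restored;
  });
  return { code, changed };
}

// Constructed sample input, not taken from the real file.
const SAMPLE = [
  String.raw`var a = "\u0068\u0065\u006c\u006c\u006f"; // "\u0041" in a comment is left alone`,
  String.raw`var b = '\x77\x6f\x72\x6c\x64' + "\u0022q\u0022" + "\\u0041";`,
].join("\n");

console.log(restoreStringEscapes(SAMPLE));
```

The count of rewritten literals is a quick indicator of how heavily a script relies on escaped strings.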
Next comes restoring the obfuscation array. Looking at the code in the debugger, all the arrays derive from the large array kbbji.$_Co at the beginning of the JS file, and that array is assigned to a number of variables whose names are randomly generated.
So what we need to do is find these variable names and replace them with the corresponding string values!
Based on the result from the online AST parser, write the corresponding traversal code:
const new_array = []; // Collects the randomly named variables that alias the big array

const visitor = {
  VariableDeclaration(path) {
    const { declarations } = path.node;
    // The aliasing statement declares exactly three variables
    if (declarations.length !== 3) return;
    if (!t.isMemberExpression(declarations[0].init)) return;
    if (declarations[0].init.property.name !== "$_Co") return;
    const value1 = declarations[0].id.name;
    const value2 = declarations[2].id.name;
    new_array.push(value1, value2);
  }
};
$_DFCB(66); $_DFCB(66); $_DFCB(66);
You are smart enough to write the restoring code in no time. After the previous steps, the code looks like this:
With keywords you can now quickly search for the encryption location; it is clearly visible. You could not find it without restoring the code. After restoration, we can quickly locate the encryption position on the website and set a breakpoint.
You can see at a glance how different the readability of the same code is. Think that is the end of it? No!
ReRes replacement
The code has now been restored, but when we debug on the site the code is still obfuscated. What can we do?
ReRes, another great tool, maps requests to local files, meaning you can use a local JS file in place of the remote one.
For usage, refer directly to its GitHub page: https://github.com/annnhan/ReRes [2]
With this, we can debug on the website using the restored JS. Very powerful!
The effect is as follows:
Awesome, extracting this encryption parameter is no pressure at all now!
Reply "TQL" to get the relevant code!
References
[1] https://blogz.gitee.io/ast/
[2] https://github.com/annnhan/ReRes